Tags: javascript, saml, keycloak, mapper

Transforming LDAP group memberships to SAML Attributes in Keycloak


I need to transform the group memberships from an external LDAP directory into a SAML attribute within a SAML session using Keycloak. There will be an undefined number of group memberships for each user. The group name will have a tenant ID for Amazon AWS and the defined role for the user within Amazon (e.g. AWS-11111111111-Administrator), so I am quite sure the way to do it is to use the JavaScript Mapper in the client configuration and do some substring modification.

  • Is there a way to test the JavaScript somehow without having to go by trial and error (log in and check the SAML session)?
  • How do I get the groups as String values from the LDAP user in the JavaScript Mapper in Keycloak?

Example for LDAP Groups (multiple groups per user)

AWS-11111111111-Administrator
AWS-11111111111-Contributer

SAML Attributes will have to look like:

arn:aws:iam::11111111111:saml-provider/ProviderName,arn:aws:iam::11111111111:role/Administrator
arn:aws:iam::11111111111:saml-provider/ProviderName,arn:aws:iam::11111111111:role/Contributer

Solution

  • I helped myself with this. The biggest part of the issue for me was the missing "test button" to verify what the code is doing. Also, finding out that a simple JavaScript Array is not iterated at the end (contrary to what the mouse-over hints say).

    You need to keep in mind that this is the server-side Nashorn interpreter, so it has not much to do with JavaScript that usually runs in the browser... sorry for potential inaccuracy within my question:

    /**
     * Available variables:
     * user - the current user
     * realm - the current realm
     * clientSession - the current clientSession
     * userSession - the current userSession
     * keycloakSession - the current keycloakSession
     */

    // Use the identifier variable to filter the relevant groups for this client.
    // Group names are expected to look like AWS-<accountId>-<roleName>.
    var identifier = 'aws'.toLowerCase();

    // Returning a plain JavaScript array does not yield a multi-valued attribute,
    // so the values are collected in a Java ArrayList instead.
    var ArrayList = Java.type('java.util.ArrayList');

    var GroupSet = user.getGroups();
    var Output = new ArrayList();

    // Nashorn's "for each" iterates a Java collection directly.
    for each (var group in GroupSet) {
        var name = group.getName();
        if (name.toLowerCase().indexOf(identifier) !== -1) {
            // "AWS-11111111111-Administrator" splits into ["AWS", "11111111111", "Administrator"],
            // so the account id is at index 1 and the role at index 2.
            var GroupNameArray = name.split('-');
            if (GroupNameArray.length < 3) continue;   // skip groups that do not match the pattern
            var tenant = GroupNameArray[1];
            var role = GroupNameArray[2];
            // ARNs are case-sensitive: the prefix must be lowercase "arn:".
            Output.add("arn:aws:iam::" + tenant + ":saml-provider/company,arn:aws:iam::" + tenant + ":role/" + role);
        }
    }

    Output;
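As an added example that is not part of the question or the answer above, the following plain-JavaScript harness addresses the first question (testing the mapping without logging in): it stubs the two Keycloak calls the mapper relies on (`user.getGroups()` and `GroupModel.getName()`) and runs the group-to-ARN transformation on constructed input under Node. The stub shape, the provider name `ProviderName` and the sample group names are assumptions made here; it also goes slightly beyond the answer by matching only on the first token of the group name, rejecting non-numeric account ids, and keeping hyphens inside role names.

```javascript
// Added example, not code from the original post. Runs under Node; nothing
// here depends on Nashorn or Java.type. In Keycloak the same loop body applies,
// but the result still has to be copied into a java.util.ArrayList so the
// mapper emits one SAML attribute value per role.

// Constructed stand-in for the subset of UserModel/GroupModel the mapper uses.
function mockUser(groupNames) {
  return {
    getGroups: function () {
      return groupNames.map(function (name) {
        return { getName: function () { return name; } };
      });
    }
  };
}

// Pure mapping function: "<identifier>-<accountId>-<roleName>" ->
// "arn:aws:iam::<accountId>:saml-provider/<provider>,arn:aws:iam::<accountId>:role/<roleName>".
// forEach exists on both a JS array and a java.util.Set, so the body ports as-is.
function mapGroupsToAwsRoles(user, identifier, providerName) {
  var ident = identifier.toLowerCase();
  var result = [];
  user.getGroups().forEach(function (group) {
    var parts = group.getName().split('-');
    // Match on the first token only: a group such as "Finance-aws-reviewers"
    // contains "aws" but must not be turned into an AWS role.
    if (parts.length < 3 || parts[0].toLowerCase() !== ident) return;
    var tenant = parts[1];
    if (!/^[0-9]+$/.test(tenant)) return;          // account id must be numeric
    var role = parts.slice(2).join('-');           // role names may contain '-'
    result.push('arn:aws:iam::' + tenant + ':saml-provider/' + providerName +
                ',arn:aws:iam::' + tenant + ':role/' + role);
  });
  return result;
}

// Constructed sample input, not real directory data.
var SAMPLE_GROUPS = [
  'AWS-11111111111-Administrator',
  'AWS-11111111111-Contributer',
  'Finance-aws-reviewers',       // contains "aws" but is not an AWS group: ignored
  'aws-22222222222-Read-Only',   // lowercase prefix and hyphenated role name
  'AWS-notanumber-Admin'         // malformed account id: ignored
];

function runSample() {
  return mapGroupsToAwsRoles(mockUser(SAMPLE_GROUPS), 'aws', 'ProviderName');
}

if (typeof require !== 'undefined' && require.main === module) {
  runSample().forEach(function (line) { console.log(line); });
}
```

Once the function produces the expected lines here, the only Nashorn-specific change for the real mapper is replacing the JS `result` array with a `java.util.ArrayList` and ending the script with that list as its value.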